Comcast Migrating Customers To DNSSEC Resolvers
ctg1701 passes along this quote from a Comcast announcement:
"Starting today we will begin migrating customers who have opted out of our Domain Helper service over to our production DNSSEC-validating servers. This will happen first in a selected part of our Virginia network, and will later expand to all markets in the following sixty days, at which point all of our customers who have opted out of Domain Helper will be migrated. After this has been completed, we will migrate the rest of our customers, which we anticipate will stretch into the early part of 2011."
Meh ... 8.8.8.8 (Score:1, Informative)
My router is already set up to ignore Comcast's DHCP provided DNS, and use 8.8.8.8 and 8.8.4.4 anyway... Substitute your own favorite public DNS resolver (or install OpenWRT and use its djbdns if you prefer).
Re:a bit confused (Score:1, Informative)
It would work normally, just not protected by DNSSEC.
Ever since ROOT and COM were signed, any site that wanted to roll it out could.
Re:What is this? (Score:5, Informative)
For those of us on Comcast, what does this mean?
Whenever I am offered the opportunity to opt out of something by a company, I know it's probably a good idea to opt out.
Also, I've had very flaky internet service the past week or so, although I am not in this market (Minneapolis area). My equipment all seems to work fine, and of course there could be any number of causes, but this seems interesting.
DNSSEC security is an Internet standard and it means that we are enabling it for our domains and will validate others once it is rolled out globally. I suggest you read through http://www.dnssec.comcast.net/faq.htm which explains why we are rolling this out and what it means for our customers.
Thanks
Chris
Comcast
Re:What is this? (Score:5, Informative)
What this means is that COMCST is now going to tell their customers that you're only allowed to visit websites that have joined the system. They may be selling this as security, but make no mistake this is also a huge control system. I may have to cancel my service with them, when this happens. The simple fact is you may have some legitimate website who chooses willfully NOT to partake in such a control scheme. I may need to visit such a site and COMCST is going to essentially tell me I can't visit that site. No thanks, I don't need a big brother. I'm an adult and I can take care of my own computers and I don't need COMCST protecting me. I don't give a crap what they say, I alone should have the right to decide where I can and can't go on the internet, unless of course you don't believe in freedom. Just give me the fully open internet service I pay for ya dern COMCST Commies!!! Quit interfering with my traffic.
-Anonymous Coward (yeah right, like they can't track you down by your IP the way the RIAA is racketeering everybody)
You have clearly not read anything about DNSSEC and how this actually ensures you get the traffic you requested without anyone - including Comcast - interfering with your DNS requests. I highly recommend you read http://www.dnssec.comcast.net/faq.htm so you can understand why we are doing this and why the global Internet and DNS is moving to this standard.
Thanks
Chris
Comcast
Re:opendns or google dns? (Score:3, Informative)
OpenDNS has the same flaws as Comcast's Domain Helper service (i.e. it does not return NXDOMAIN); GoogleDNS has some issues I can't remember and for us has pretty significant latency.
Currently neither supports DNSSEC validation, and with us enabling DNSSEC on our recursive resolvers, we are disabling Domain Helper. Please check out http://www.dnssec.comcast.net/faq.htm for more details.
Thanks
Chris
Comcast
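The two resolver behaviours this thread keeps contrasting (Domain Helper / OpenDNS-style NXDOMAIN rewriting versus a validating resolver that returns a signed denial) can be told apart from the DNS header alone, using the RCODE and the AD flag from RFC 4035. The example below is added here and is not code from the thread or from Comcast; the three reply headers are constructed in-process, so nothing is queried over the network.

```python
import struct

# DNS header flag bits (RFC 1035 section 4.1.1; AD from RFC 4035 section 3.2.3).
FLAG_QR = 0x8000  # message is a response
FLAG_RD = 0x0100  # recursion desired
FLAG_RA = 0x0080  # recursion available
FLAG_AD = 0x0020  # authenticated data: the validator verified the answer or the denial
RCODE_NOERROR, RCODE_NXDOMAIN = 0, 3
HEADER = struct.Struct("!HHHHHH")  # id, flags, qdcount, ancount, nscount, arcount

def build_header(flags, rcode, ancount, ident=0x1234):
    """Constructed sample: a 12-byte response header (no question or answer section)."""
    return HEADER.pack(ident, FLAG_QR | flags | (rcode & 0xF), 1, ancount, 0, 0)

def parse_header(packet):
    """Return the header fields a client needs to judge a resolver's reply."""
    if len(packet) < HEADER.size:
        raise ValueError("truncated DNS message")
    _ident, flags, _qdcount, ancount, _nscount, _arcount = HEADER.unpack_from(packet)
    return {
        "is_response": bool(flags & FLAG_QR),
        "authenticated": bool(flags & FLAG_AD),
        "rcode": flags & 0xF,
        "ancount": ancount,
    }

def classify_resolver(reply_to_nonexistent_name):
    """Classify a resolver from its reply to a query for a name that does not exist in a
    signed zone (root and .com are signed, so the denial of existence can be validated)."""
    h = parse_header(reply_to_nonexistent_name)
    if not h["is_response"]:
        raise ValueError("not a DNS response")
    if h["rcode"] == RCODE_NOERROR and h["ancount"] > 0:
        # The name does not exist, yet records came back: the resolver synthesised an
        # answer (Domain Helper style NXDOMAIN rewriting, the behaviour being disabled).
        return "rewriting"
    if h["rcode"] == RCODE_NXDOMAIN and h["authenticated"]:
        # AD on a negative answer means the NSEC/NSEC3 denial proof validated.
        return "validating"
    if h["rcode"] == RCODE_NXDOMAIN:
        return "non-validating"
    return "unexpected"

# Constructed replies to the same nonexistent-name query from three resolver types.
SAMPLE_REWRITING = build_header(FLAG_RD | FLAG_RA, RCODE_NOERROR, ancount=1)
SAMPLE_VALIDATING = build_header(FLAG_RD | FLAG_RA | FLAG_AD, RCODE_NXDOMAIN, ancount=0)
SAMPLE_PLAIN = build_header(FLAG_RD | FLAG_RA, RCODE_NXDOMAIN, ancount=0)
```

The AD bit is only as trustworthy as the path between the stub and the resolver, since it is an unsigned header bit; a client that needs its own assurance runs a validator locally instead of relying on the flag.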
Re:domain helper? (Score:5, Informative)
Domain helper... is that the crap that automatically relocates you to some ad-serving search website when you input an unrecognized DNS name in the web browser? That kind of crap is why I switched to 4.1.1.1
We will be disabling Domain Helper on our recursive resolvers and you will also get DNSSEC validation by using our Anycast resolvers. There is no redirection and you will also get the protections enabled by DNSSEC.
Thanks
Chris
Comcast
This is a GOOD thing (Score:3, Informative)
I've been using these for months while they've been available for testing. The very nature of DNSSEC kills the 404 helper service, and provides an extra level of security. For anyone that wants to use them now without being migrated automatically someday, just use 75.75.75.75 and 75.75.76.76 for the DNS.
Re:Meh ... 8.8.8.8 (Score:1, Informative)
My router is already set up to ignore Comcast's DHCP provided DNS, and use 8.8.8.8 and 8.8.4.4 anyway... Substitute your own favorite public DNS resolver (or install OpenWRT and use its djbdns if you prefer).
While you could do any of the following, Comcast DNS servers should provide a fast response and better localization than third party resolvers. We also will now have DNSSEC validation turned on to enable another level of security that none of the third party resolvers currently offer.
Hopefully you will give us a try and take a look at http://www.dnssec.comcast.net/faq.htm for details.
Thanks
Chris
Comcast
Re:For Webmasters? (Score:2, Informative)
What does this mean for webmasters? Are all of us going to need DNSSEC keys on our websites or does this just apply to comcast's array of websites? I wasn't aware that DNS had any kind of security issue which would warrant a revamp. How will this affect the future of the web?
This has little to do with websites and more to do with the zones in the DNS for the websites. This adds an additional layer to protect the DNS from attacks. I suggest if you want more information, please read the following: http://www.dnssec.comcast.net/faq.htm
Thanks
Chris
Comcast
Re:What is this? (Score:5, Informative)
Oh great. CCast sent shills already.
Actually I am one of the engineers that run the DNS at Comcast, but if you consider me a shill, so be it.
Re:migrate (Score:5, Informative)
If you're stuck with Comcast, there's an "alternative" that's often the best way to go: Comcast Business Internet service. It's run by a separate division of the company from the residential services, one that actually has competition and a decent customer service mindset. The business side also seems to completely avoid stupid stuff like Domain Helper in the first place. For those of you who still use TV or want other Comcast services, note that you can (and want to) mix-and-match Residential and Business services. For example, Residential for TV and Business for Internet -- the business rep who set up my account actually called this out and recommended it to avoid unnecessary restrictions on TV use applied to business accounts (e.g. no DVRs, etc.).
Re:What is this? (Score:3, Informative)
Are you guys running any tests in Seattle at night? DNS lookups regularly fail after midnight and are generally really spotty from midnight on. It's not a connectivity issue because I can always ssh using an ip address even when my web browser can't load pages due to lookup failures.
No we are not running any tests and our DNS is up and responding. If you are having issues, I would suggest stopping by our customer forums at http://forums.comcast.net to get help.
Thanks
Chris
Comcast
Re:What is this? (Score:5, Informative)
Stop posting press release posts.
Here is some non-Comcastic information - http://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions [wikipedia.org]
Chris what is your non-biased take on Comcast forging TCP reset packets and terrible quality HD?
I also should mention that reading Wikipedia isn't the most reliable source, although that one is fairly good. I might suggest looking at the following if you don't care for Comcast's write up:
https://www.dnssec-deployment.org/
or the RFCs:
http://tools.ietf.org/html/rfc4033
http://tools.ietf.org/html/rfc4034
http://tools.ietf.org/html/rfc4035
Thanks
Chris
Comcast
Re:migrate (Score:5, Informative)
Which is false. I'm posting AC because I work in "Business Services" at Comcast...
I don't know about this specific case, but I do run into this with "home office" accounts a lot.
My bet is he wanted Business class internet and "Residential TV" at "Residential TV" costs.
The difference between Res and Biz TV? Well, here in Connecticut, mainly the COST.
It doesn't matter if it's a night club or a guy running a WebDev company out of his attic... it's a commercial account.
Biz class TV costs A LOT more than normal TV.
Biz class TV has all sorts of crazy rules and extra fees to the content providers.
We cannot offer VOD/"Pay Per-View" because the content providers are worried you will order it at your BAR and show everyone there for free... or charge at the door.
We cannot offer DVR service because the content providers don't want you skipping all the commercials in your packed restaurant.
We cannot offer Adult Content (Playboy/Spice/etc.) to places of business because of the agreements we have with the city. (Think of the children!)
On and on...
My bet is the guy in that linked story did not want to pay all this extra money for "less" TV.
The workaround is simple: you get 2 account numbers, 2 drops, and 2 bills. One is the biz-class internet, which your company pays for, and the other is your home TV.
Makes doing the taxes simple, and if your company is paying you to telecommute you just hand them the whole Biz internet bill.
From what I can tell Comcast doesn't care all that much about pushing Biz Class TV (at least in this state) because it's too much of a PITA with the regs/fees and in the end we don't make all that much on it. Not being able to put "upsells" on it like DVR/VOD hurts. The only thing it's really good for is keeping ATT/DISH/etc. OUT of your company and getting us in the door with the internet/phone.
Re:migrate (Score:5, Informative)
I opted out of Domain Helper by using manually configured DNS servers, OpenDNS at the moment. It seems if you manually migrate to their DNSSEC servers, Domain Helper goes away, as according to the FAQs the two are incompatible.
Re:migrate (Score:5, Informative)
Opting out of Domain Helper is as simple as changing your DNS servers in your router. Mine point to an OpenDNS (paid) account, and allow me to block a lot of advertising popups and underlines.
Google also supplies free DNS servers (8.8.8.8).
To do this, I just bridged my router (the Comcast business service box); they even told me how to do this. Then I use my own Linux box to handle routing. But you can also set up your own DNS sources using their box if you want.
The Business services bunch are a whole lot easier to deal with than the home services people.
Re:What is this? (Score:3, Informative)
In computer security circles Comcast is being congratulated for making this step and I certainly add my congratulations.
Oh, this will also be the end of the odious Comcast DNS redirection scheme, as DNSSEC will make it impossible once the top level domains (com, net, org, edu, gov, etc.) are signed. Comcast cannot become involved in any domain other than those they own (e.g. comcast.com, comcast.net).